Securing online transactions via hardware identification

ABSTRACT

A method, program and system are provided for securing electronic transactions. A payment card processor server computer receives a payment authorization request message, the payment authorization request message being generated in response to an electronic payment transaction request made by a user, wherein the payment authorization request message includes first encrypted payment account information for a first payment device. The payment card processor server computer receives a first hardware device ID associated with a first hardware device that generated the payment authorization request message, wherein the first hardware device is associated with a user payment account for the user. The server computer determines that the first encrypted payment account information from the received payment authorization request message matches the first hardware device ID, and the purchase request is completed.

TECHNICAL FIELD

The present invention relates to systems, devices and methods thatfacilitate electronic commerce transactions.

BACKGROUND

Consumers, product and service merchants, purchasing and sales agents,suppliers, manufacturers, credit card and debit card companies and bankshave all seen process improvements including improved payment processesdue to advances in electronic commerce technology. Buyers can now finddesired products through Internet searches and can purchase goods andservices through secure online channels. Transactions may be processedalmost instantly leading to faster delivery of the purchased item, mediacontent, or service.

Credit cards in stores are authenticated by several mechanisms such asphysical possession of the card and signature verification. Online;however, cards do not have these mechanisms available. One aspect ofonline transactions is the common concern of theft of payment accountinformation. Generally the user of a credit card with an online vendorassures possession of the card by entering the expiration date and theCVV code. Absent some means of verifying the user of the card, onlinecredit card use is very susceptible to fraud. Someone who knows the cardnumber and CVV code can use the card without the owner's permission.

Accordingly, e-commerce systems typically include, when the user choosesto make a purchase, the establishment of an encrypted tunnel between themerchant and the customer so that payment account information may betransmitted safely. Typically, a secure page is provided to the customerto prompt the customer to enter a payment account number and otherrequired account information. A merchant server then validates theaccount information as a part of completing the transaction. Thereafter,a purchase confirmation is generated in one of a variety of formats tothe customer.

SUMMARY

The present invention provides a method, program and system for securingelectronic transactions. A payment card processor server computerreceives a payment authorization request message, the paymentauthorization request message being generated in response to anelectronic payment transaction request made by a user, wherein thepayment authorization request message includes first encrypted paymentaccount information for a first payment device. The payment cardprocessor server computer receives a first hardware device ID associatedwith a first hardware device that generated the payment authorizationrequest message, wherein the first hardware device is associated with auser payment account for the user. The server computer determines thatthe first encrypted payment account information from the receivedpayment authorization request message matches the first hardware deviceID, and the purchase request is completed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional diagram that illustrates a payment cardauthorization process that can support a typical e-commerce transactionaccording to the prior art.

FIG. 2 is a functional block diagram of a system that illustrates aprocess flow for an electronic payment authorization system according toan embodiment of the present invention.

FIG. 3 is a functional block diagram of a system that illustrates aprocess for creating an established association between an authorizedhardware device and a payment account according to one embodiment of theinvention.

FIG. 4 is a functional block diagram of a computing device that isoperable operations and functionality as described in relation to thevarious aspects of the embodiments of the invention.

FIG. 5 is a functional block diagram of a network operable forestablishing and supporting electronic transactions according to anembodiment of the present invention.

FIG. 6 is a flow chart that illustrates a method for accessing andactivating a service to enhance electronic transactions using hardwareidentification according to an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 is a functional diagram that illustrates a payment cardauthorization process that can support a typical e-commerce transactionaccording to the prior art. As illustrated in FIG. 1, a cardholder 1initially presents a payment card 2 to a merchant point of sale orInternet terminal 3. Specifically, the card 2 is presented to a point ofsale terminal 3 or, as described previously, the account information ispresented to the terminal through secured data entry over the Internet.Thereafter, the merchant produces card and payment information 4 to anacquirer server 5. An acquirer is a payment card association member thatinitiates and maintains relationships with merchants that accept paymentcards. Thereafter, the acquirer server 5 produces an authorizationrequest 6 to a payment card company server 7 for review. The paymentcard company then sends the authorization request 6 for review 8 to theappropriate payment card issuer 9. The payment card issuer then issuesan approval or denial that is propagated back to the merchant.

To provide enhanced security when completing online transactions,additional verifications can be incorporated in accordance with thisinvention. Rather than just providing the credit card information whichcan be easily compromised, a user can add additional security to theuser's account by complementing this existing verification withhardware-based verification as well. When completing an onlinetransaction, the user will authenticate to the retailer via the creditcard information and the user's device will provide a unique hardwareidentifier to the online retailer during the transaction. This hardwareidentifier may, for example, take the form of a SIM card id (ISSI) in amobile device, a unique network-based ID such as a MAC address, or theserial number of the laptop being used to complete the transaction.Other forms of hardware identification may be employed. The retailer maythen verify with the credit card issuer that the provided credit cardinformation and the device identifier are linked together and thepayment can be completed. Likewise, multiple credit cards and multiplehardware devices may be linked in this manner.

FIG. 2 is a functional block diagram of a system 10 that illustrates oneembodiment of a process flow for an electronic payment authorizationsystem according to an embodiment of the present invention. The paymentmethod described in FIG. 2 is provided only as an example is notintended to limit the present invention to any specific type oftransaction method other than those features set forth in the appendedclaims. The electronic payment authorization feature supported by thesystems, networks, devices and methods of the various embodiments of theinvention allow a user to initiate a purchase of an advertised item byinteraction with a hardware device, such as a phone, tablet, laptop,personal computer, etc., that may established an association with apayment account enabling the user to manually enter necessary paymentaccount information.

To achieve this functionality, devices, systems, networks, and/orassociated method steps generally support a process to generate apayment account that has an established association with a specifichardware device. References herein to a hardware device are referencesto any type of device that can communicate over an IP network, a publicnetwork including the Internet, cable TV, satellite TV networks, andother types of networks that support data communications. The paymentaccounts may be card based in the form of a plastic bank card, a smartcard, a dedicated SIM card, or may be in an electronic format and notrequire a physical form factor (i.e., electronically stored andencrypted account information). Additionally, while the embodimentsshown typically refer generally to a hardware device it should beunderstood that a software based module that operates with generichardware (for example, a personal computer, laptop, cell phone, smartphone, tablet, etc.) may serve as the hardware device described thatsupports operation described in relation to at least one of theembodiments of the invention.

Generally, the system and processes described with reference to FIG. 2illustrate a process that with which a hardware device supports anelectronic purchase transaction, wherein the purchase transaction ismade by an authorized hardware device. Hardware device 14, which may beany one of a cell phone, personal computer, tablet, laptop, etc., may beconfigured to send and receive transactional information over a computernetwork, a data packet network, a cable network, a satellite network, ora traditional broadcast television network. Hardware device 14 may alsoreceive, simultaneously or separately, media via a plurality oftransmission channels. For example, server 22 may receive broadcastInternet media, advertisements, news articles, social media, searchengines, as well as television programming, movies, music, etc. over acable network cable connection or as a wireless broadcast transmissionreceived via wired or wireless communication. The server 22 may convertthe received broadcast transmission programming to a packet format fordelivery to hardware device 14 via a computer network. In addition,server 22 may deliver media received from other media sources tohardware device 14 over the data packet network or the computer network.

Server 22 produces all varieties of media and advertising as well aspurchase options (collectively “advertisement”) to hardware device 14for display upon an associated monitor or display. A purchase selectionby the user by interaction with the hardware device 14 in response to anadvertisement results in hardware device 14 generating a purchaseselection message 30 identifying a specific advertisement or product.

Payment account information is associated with a payment device 34 thatis owned by or otherwise controlled by a user to facilitate electroniccommerce, such as an online purchase of a product or service. Thepayment account information includes traditional payment card data suchas an account holder's name, an account number, an expiration date, aCVC number, etc. The types of data stored by payment device 34 mayinclude the magnetic stripe equivalent data or a payment account number,account or card expiration date, usage limits including purchase amountsor totals, a permanent ID of an authorized device that has anestablished association with the payment account, issuer ID, paymentaccount processor ID, and personal identification number. Additionally,in one embodiment, a user mailing address and a user billing address isincluded. The payment account processor is a company that processespayment account transactions. Historically, such processing has been onthe behalf of payment card issuer companies such as banks and otherfinancial institutions. Accordingly, hardware device 14 is operable toreceive the account information from payment device 34 and to producethe payment account information within message 30.

In one embodiment in which a payment account is not associated with aphysical form factor such as a plastic credit card or SIM card, apayment account secured software module may be installed into thehardware device 14 to support other purchase features.

The hardware device 14 includes an identifying number that is apermanent identification number of the hardware device 14. For example,the hardware device 14 identifying number may be a serial numberassigned to hardware device 14. One aspect of this identifying number isthat the number is non-modifiable. In an alternate embodiment in which ahardware device comprises a software based module containing the paymentaccount information (for example, one installed in a personal computer),the hardware device identifying number is a non-modifiableidentification number associated with the software based hardwaredevice.

In response to receiving purchase selection message 30, server 22transmits message 42 to a payment device management server 46. Message42, which operates as a purchase selection indication, includes thehardware device ID and the payment account information. Message 42 maybe the same as purchase selection message 30 or may be different butbased upon message 30. Message 42 may include additional informationsuch as a billing and shipping address associated with the paymentaccount. Payment device management server 46 then communicates with acorresponding merchant e-commerce server 50 based upon the purchaseselection massage 42 and transmits an order 54 to merchant e-commerceserver 50. Here, order 54 is one for which payment has not yet beenauthorized or approved. Merchant e-commerce server 50 then engages inpayment authorization and settlement communications 58 with a financialpayment network 62 to complete the transaction and, more specifically,to initially receive payment authorization and subsequently paymentsettlement.

FIG. 3 is a functional block diagram of a system 80 that illustrates aprocess for creating an established association; i.e., a transactionauthorization and protection service, between an authorized hardwaredevice and a payment account according to one embodiment of theinvention. The figures and corresponding text are directed to a hardwaredevice 14 that is capable of receiving data and communicating over atleast one of a plurality of network types. In one specific embodiment,hardware device 14 (as described here in FIG. 3) is a personal computer(PC). Alternatively, the hardware device may be a cellphone, a tablet, alaptop, or other communication device. Additionally, in the describedembodiment of FIG. 3, the payment account is associated with a paymentdevice 34 illustrated by way of example as a credit card 34. Generally,a process of system 80 supported according to an embodiment of thepresent invention is one that establishes an association; e.g., asecurity link, between a user payment account and an authorized hardwaredevice 14, such as PC 14. After such association is made, a purchaseselection message 42 (FIG. 2) may be made for the specified user accountby the authorized hardware device 14 and the system of this inventionrecognized the security link that has been made between the hardwaredevice 14 and the payment device 34, thereby providing an additionallayer of security for the payment device 34 to avoid fraud andunauthorized purchases using the payment device 34.

The process begins with a user enrolling in a hardware authenticationprogram through the credit card provider or other suitable agency forauthorization. During this enrollment, the user may choose to eitherrequire (1) hardware authentication for all online purchases, or (2)only require hardware authentication on websites that support this formof authorization. During enrollment, the user may select a range ofmonetary transactions conducted electronically via said computer,whereby a user may require hardware authentication for only certainonline purchases. For example, the user may download and install devicedrivers/software from the credit card provider or other suitable agencyonto the hardware device 14. This software may then be used to link thehardware device 14 to each desired payment device 34; e.g., credit card.Each payment device 34 may be linked to many hardware devices 14. Whenlinking a hardware device 14 to a payment device 34, the hardwaredevice's unique hardware ID is hashed and is sent to the payment deviceissuer's database where the security link between hardware device 14 andpayment device 34 is stored.

In accordance with an embodiment of the present invention, when makingan online or electronic purchase, the user will allow (e.g., via a userinput such as acknowledging a button or scanning a fingerprint) theon-board driver to send a hash of the unique hardware ID for hardwaredevice 14 to the retailer. The user will thus provide the hardware ID incombination with the payment device 34 information to the retailer. Theretailer, in turn, will verify with the payment device 34 issuer that:(1) the payment device 34 information is valid, and (2) that theprovided hardware ID matches up with a linked ID hash of the associatedpayment device 34. Upon verification that the provided payment deviceinformation and the hardware ID hash are valid and linked, the onlinepurchase proceeds as expected.

An exemplary process of ordering a product and/or service is illustratedin FIG. 3, whereby a user generates an application 84 for a new paymentaccount and produces the application 84 to a payment device processor88. Payment device processor 88 is, for example, a credit card companythat processes credit cards for issuer companies such as banks and otherfinancial institutions or for the bank itself through payment cardprocess server computer 88 a. In general, references herein to “paymentdevice processor” are references to payment device processing entitiesor companies. The user may utilize a web based interactive program ormay physically deliver a paper application to the payment deviceprocessor 88, which then produces processed application 92 in anelectronic form to bank 96 for processing. Processed application 92 isbased on application 84.

While the example of FIG. 3 illustrates the user providing theapplication directly to payment device processor 88, it should beunderstood that the user may also deliver the application to any otherentity that subsequently provides the application to the payment deviceprocessor 88 including bank 96 or other financial provider. Accordingly,payment device processor 88 generates a processed application 92 to bank96. Bank 96 then approves or denies processed application 92.

Upon approving processed application 92, bank 96 generates an approval100 to payment device processor 88. Bank 96 may also generate a paymentdevice request 104 to payment device personalization service 108. Uponreceiving approval 100, payment device processor 88 generates a new usernotification 112 to a product and/or service provider 116. In analternate approach, bank 96 generates and transmits new usernotification 112 to service provider 116 after bank 96 approvesprocessed application 92. Product/service provider 116 then transmits anorder 120 to a distribution center 124. Distribution center 124 thenships the product and/or service to the user 100. The product and/orservice may encompass any variety of merchandise available over theInternet or otherwise available for purchase by the user 100.

In one embodiment of the invention, payment device 34 is linked to orassociated with a serial number or other identification number ofhardware device 14. This serial number is a non-modifiable number and ishardware based. Accordingly, subsequent purchase orders can only beapproved if the hardware ID number associated with the payment device 34and the hardware ID of the hardware device match when a purchaseselection is made by an authorized hardware device 14 in one embodimentof the invention. The process includes product/service provider 116providing the hardware ID to either bank 96 or payment device processor88 for delivery to payment device personalization service 108. Ingeneral, the ID of the authorized payment device 14 must match thehardware ID of a hardware device 14 that generates a purchase selectionmessage for an account having an established association with thehardware device before a purchase approval can be generated.

Payment device personalization service 108 is, in one embodiment, anelement of a network operable to generate personalized payment devicesthat include account information as well as encryption keys and otherinformation to support the creation of secure payment devices 34.

The methods and apparatus of the embodiments of the invention areapplicable to Internet based hardware devices that operably couple to anassociated server from which media content or associated products orservices may be purchased over a public network. For example, theconcepts herein are applicable to game systems such as the Sony Wii®,Gamecube®, and Xbox® and other similar systems. Generally, though, mediacontent and advertisements for products and services are produced to adisplay device to allow a user to make purchases associated with themedia content and advertisements merely by placing an online order. Adisplay for displaying media with advertising may comprise any knowndisplay device including television sets, traditional monitors, LCDdisplays, or projectors. These displays may be separate or integratedinto the hardware device 14. For example, the display may be an LCDscreen of an audio player such as an MP3 player. Many such systemsinclude an ability to communicate over an IP network though the abilityto communicate over an IP network is not required. Generally, theembodiments include any system that is operable to deliver media to theuser device and to receive a purchase indication from the user devicethrough the same or a different network while a purchase transaction ispending.

FIG. 4 is a functional block diagram of a device 130 that is operable toperform the operations and functionality as described in relation to thevarious aspects of the embodiments of the invention. For example, device130 may be used to receive and process an application for a paymentaccount that is to be associated with hardware device 14 according toone embodiment of the invention. While device 130 is described as adevice for processing an application for a payment account, thestructure and functionality of device 130 may be applied to eachcomputer device or server described here in this specification inrelation to prior and subsequent figures. Device 130 includes aninput/output module 132 operable to receive user inputs from a keyboard,mouse and other user input devices and further to generate displaysignals and/or audio signals for display on a display device and forplaying sound through a speaker system, respectively, to create a userinterface with device 130. As such, device 130 is operable to receive anapplication directly from a user in addition to receiving theapplication over the Internet. A processing module 134 is operable tocommunicate with input/output module 132 and to process incoming signalsbased upon user input and upon signals received over the Internet.Memory 136 is operable to store computer instructions and data.

The processing module 134 may be a single processing device or aplurality of processing devices. Such a processing device may be amicroprocessor, micro-controller, digital signal processor,microcomputer, central processing unit, field programmable gate array,programmable logic device, state machine, logic circuitry, analogcircuitry, digital circuitry, and/or any device that manipulates signals(analog and/or digital) based on hard coding of the circuitry and/oroperational instructions. The processing module may have an associatedmemory and/or memory element, which may be a single memory device, aplurality of memory devices, and/or embedded circuitry of the processingmodule. Such a memory device may be a read-only memory, random accessmemory, volatile memory, non-volatile memory, static memory, dynamicmemory, flash memory, cache memory, and/or any device that storesdigital information.

Note that when the processing module 134 implements one or more of itsfunctions via a state machine, analog circuitry, digital circuitry,and/or logic circuitry, the memory and/or memory element storing thecorresponding operational instructions may be embedded within, orexternal to, the circuitry comprising the state machine, analogcircuitry, digital circuitry, and/or logic circuitry. Further note that,the memory element stores, and the processing module executes, hardcoded and/or operational instructions corresponding to at least some ofthe steps and/or functions illustrated in FIGS. 2-3 and in the Figuresthat follow FIG. 4.

Continuing to refer to FIG. 4, processing module 134 of device 130 isoperable to retrieve computer instructions from memory 136 whichinstructions define operational logic of device 130 including logic forperforming the method steps of at least one embodiment of the inventiondescribed herein this specification. For example, the logic defined bythe computer instructions support application processing for paymentaccounts that will be associated with a hardware device 14. Finally,processing module 134 is operable to engage in wireless and wiredcommunications through various data packet networks and wirelesscommunication networks via network communication module 138 to supportthe various method steps described herein.

More specifically, processing module 134 is operable to communicate withthe input/output module 132, network communication module 138, andmemory 136 to execute the computer instructions stored within memory136. Based upon at least one of the stored data in memory 136, thereceived data from network communication module 138, and the user dataentry received from input/output module 132, processing module 134 isoperable to receive and process an application for a hardware device 14associated payment account, transmit an approved application indication,and support or establish an established association between the paymentaccount and hardware device 14.

FIG. 5 is a functional block diagram of a network operable forestablishing and supporting electronic transactions according to anembodiment of the present invention. Network 140 generally comprisesfinancial network devices that interact with service provider devices,merchant devices and user devices having an ability to establish andsubsequently support a purchase selection. More specifically, thenetwork elements or devices of network 140 are operable to initiallysupport creation of personalized payment cards and to subsequentlysupport electronic transactions using the payment cards. Here, thepayment device has the data that is partially encrypted to allow accessto certain types of data while protecting other types of information.Examples of payment data which may be fully protected, partiallyprotected or not protected all according to implementation includepayment account number, expiration date, usage limits including purchaseamounts or totals, a permanent ID of an authorized device that has anestablished association with the payment account, issuer ID, paymentaccount processor ID, and personal identification number. One aspect ofnetwork 140 is that network 140 is operable to support an applicationand account creation process that results in a payment account having anestablished association with a specified user hardware device from whicha user may initiate purchase transactions using the payment account.

Network 140 includes a server device 142, a user device 144, a responseprocessor 146, and a merchant device 148 that are all coupled tocommunicate through one or more public networks 150. Server device 142is operable to provide content and tagged advertisements to userhardware device 144.

Server device 142 can be, for example, a device that delivers media byway of wireless communication channels and/or wired networks. Thewireless networks can comprise the wireless cellular networks, satellitebased wireless networks, or even public wireless local area networks andwireless wide area networks. The wired networks can be any knowntechnology including cable networks for delivering so called broadcasttelevision programming content, the public switched telephone networks,or computer and data networks such as Internet Protocol networks.According to implementation, these various types of networks can be usedeither for delivery of media content, delivery of communication messagesthat support an electronic transaction, or both. For example, one typeof network may be used for delivering the media content while another isused to conduct purchase related communications. Alternatively, one typeof network may be used for both.

Continuing to refer to FIG. 5, network 140 includes an acquiring entitydevice 152 of a payment card acquirer company that is operable tocommunicate with merchant device 148 over public network 150 as well aswith a payment account processor entity device 154 or 156 of a paymentaccount processor company by way of a proprietary network 158. Acquiringentity device 152 includes a mapping of user payment accounts withtransaction processing entities such as credit card processingcompanies.

A proprietary interface 160 is utilized to enable acquiring entitydevice 152 to communicate through proprietary network 158. An issuerdevice 162 also is coupled to communicate through both the publicnetwork 150 and through proprietary network 158 by way of interface 164.Similarly, a payment device personalization service device 166 iscoupled to communicate through both the public network 150 and throughproprietary network 158 by way of interface 168. Finally, as shown, eachtransaction processor entity device 154 is operable to communicate withone or more databases that include payment account information and apermanent ID of a hardware device from which authorized purchasetransactions may be initiated.

In operation, server device 142 is operable to produce media withproducts or services that may be purchased by a user. Accordingly, userhardware device 144 is operable to receive and play the media contentfor advertisements or advertised items. Hardware device 144 is alsooperable to produce purchase selection indications to server device 142with the advertisements that correspond to the purchase selections. Inan alternate embodiment, the purchase selection indications are producedto advertisement response processor 146. Here, a first type of publicnetwork delivers media to user hardware device 144 and a second type ofnetwork delivers user hardware device responses to server device 142 orto advertisement response processor 146. A public network 150 is usedfor delivery of the media content though a private network may be usedinstead.

Once either device 142 or 146 receives a purchase selection indication,device 142 or 146 is operable to forward the purchase selectionindication to merchant device 148 over public network 150. Merchantdevice 148 is then operable to generate and provide a purchaseauthorization request to acquiring entity device 152. Acquiring entitydevice 152 then forwards the purchase authorization request to atransaction processor entity device 154 by way of proprietary network158. The transaction processing entity device then performs severalauthorization processing steps including evaluating account standing andverifying that all authorization associated data appears to be properaccording to implemented guidelines. Transaction processor entity device154 then forwards the authorization request to a payment account issuerdevice 162. Payment account issuer device then makes a finalauthorization decision to approve or deny the authorization request.

User hardware device 144 is operable to provide payment accountinformation and an ID of the user hardware device 144 along with thepurchase selection indication. Accordingly, at least one of the serverdevice 142, the advertisement response processor 146, the acquiringentity device 152 and the issuer device 162 is operable to compare theuser hardware device ID to the payment account information as a part ofdetermining whether to approve (or forward) the authorization request.

Server device 142 is operably disposed to communicate through publicnetwork 150 with merchant device 148 that is identified by theadvertisement. Merchant device 148 is further coupled to communicateover public network 150 with acquiring entity device 152 to initiatetransaction approval and settlement processing. Generally, acquiringentity device 152 is operable to receive the authorization request for apurchase transaction and to communicate with at least one device in afinancial network through a proprietary interface and/or network torequest and receive a purchase authorization approval.

An additional aspect of the operation of network 140 is that any ofdevices 142, 148, 154 and 162 is operable to provide account applicationinformation including at least a portion of an account number directlyor indirectly to payment device personalization service device 166.Payment device personalization service device 166 is operable to receivethe permanent ID of user hardware device 144 to embed the permanent IDwithin the data stored within the payment device 34. For example, the IDmay be stored in a central server along with other account informationto create an established association between the account and the userhardware device 144, or the ID may be stored in an encrypted form in apayment device along with other account information to create anestablished association between the account and the user media device144.

In an alternate embodiment, an established association between theaccount and the user hardware device may be created through an initialcommunication. Here, devices 154 and 162 are operable to establish acommon encryption key with one of user hardware device 144 or paymentdevice 34 to generate an encryption key for protecting data in purchasetransactions initiated by the (authorized) user hardware device. Thisencryption key is then used to protect at least a portion of the accountinformation. Accordingly, the encrypted portion of the accountinformation will only be properly decrypted if an authorized hardware IDis provided as a part of a purchase selection since the providedhardware ID will be used to select an encryption key for a receivedauthorization request. In general, a user hardware device ID istransmitted as a part of or in association with a purchase selectionand, if the hardware ID is one that has an established association withthe payment account identified in the transaction and/or account data,then the transaction may be approved or forwarded to a different devicefor approval.

FIG. 6 is a flow chart that illustrates a method for accessing andactivating a service to enhance electronic transactions using hardwareidentification according to an embodiment of the present invention. Themethod includes accessing a hardware identification protection service(step 610) by, for example, downloading and installing device driversand/or software from a credit card provider or other suitable agencyonto the hardware device 14 described above. Once the hardware IDprotection service is activated (step 620), the software may be used tolink the hardware device 14 to each desired payment device 34, andconversely, each payment device 34 may be selectively linked to one ormore hardware devices 14 at steps 630, 640.

The method preferably includes establishing a secure communication linkfor securely carrying data between a financial network server and ahardware device 34. The financial network server may be a server such asa financial institution server or a payment card processor server. Theserver and the hardware device communicate with each other to supportthe step of creating an established relationship between the hardwaredevice and the user payment account.

From the perspective of the hardware device, this step includestransmitting a hardware device ID in relation to the payment accountinformation to support creating the established relationship between thehardware device and the user payment account. From the perspective ofthe network server, this step includes receiving the hardware device IDin relation to the payment account information and storing andtransmitting such information to other servers in the financial networkto facilitate processing in which the hardware device ID for a purchaseselection message may be compared to the payment account information asa part of approving and settling a purchase transaction. Such an ID, forexample, may be mapped to an encryption key that is unique for eachauthorized hardware device.

Once the user has accessed and activated the hardware protection serviceaccording to this invention (steps 610, 620) and created the linkbetween the hardware device(s) 34 and the payment device(s) 14 (steps630, 640), the user may then proceed to initiate an electronic paymenttransaction using the authorized hardware device 14 at step 650, whichstep follows the procedures and functions described above with respectto electronic payment transactions. According the present invention, thehardware protections service would validate the transaction by requiringat step 660 both payment device authorization; i.e., encrypted paymentaccount information, and hardware identification verification; i.e.,hardware serial number or other uniquely identifying feature for thehardware device 14. Once the system receives at step 670 the requiredpayment device authorization and hardware identification verification,which are transmitted via the hardware ID protection service, thevalidity of the transaction may be verified and the transaction may becompleted by the appropriate financial or merchant service(s) at step680.

Based on the foregoing description, it will be apparent to those ofskill in the art that the present invention provides enhanced securitywhen conducting online transactions, whereby additional verificationsare incorporated into the transaction. Rather than just providing thecredit card information which can be easily compromised, a user can addadditional security to the user's account by complementing this existingverification with hardware-based verification as well. When completingan online transaction, the user will authenticate to the retailer viathe credit card information and the user's device will provide a uniquehardware identifier to the online retailer during the transaction. Thishardware identifier may, for example, take the form of a SIM card id(ISSI) in a mobile device, a unique network-based ID such as a MACaddress, or the serial number of the laptop being used to complete thetransaction. Other forms of hardware identification may be employed. Theretailer may then verify with the credit card issuer that the providedcredit card information and the device identifier are linked togetherand the payment can be completed. Likewise, multiple credit cards andmultiple hardware devices may be linked in this manner.

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium; e.g. memory 136 of FIG. 4, can bea tangible device that can retain and store instructions for use by aninstruction execution device. The computer readable storage medium maybe, for example, but is not limited to, an electronic storage device, amagnetic storage device, an optical storage device, an electromagneticstorage device, a semiconductor storage device, or any suitablecombination of the foregoing. A non-exhaustive list of more specificexamples of the computer readable storage medium includes the following:a portable computer diskette, a hard disk, a random access memory (RAM),a read-only memory (ROM), an erasable programmable read-only memory(EPROM or Flash memory), a static random access memory (SRAM), aportable compact disc read-only memory (CD-ROM), a digital versatiledisk (DVD), a memory stick, a floppy disk, a mechanically encoded devicesuch as punch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers or ordinary skill in the art to understand the embodimentsdisclosed herein.

What is claimed is:
 1. A method for securing electronic transactions, comprising: linking, by a payment card processor server computer, a first encrypted payment account information for a first payment device with a first hardware device, thereby establishing said first hardware device as a first authorized hardware device, wherein linking includes receiving, from at least one device driver of said first hardware device, a hash of a first hardware device identifier (ID) by said payment card processor server computer to thereby link said first encrypted payment account information for said first payment device with said first hardware device ID, wherein said first authorized hardware device is linked with said first payment device to enhance security of a monetary transaction conducted electronically via said authorized hardware device; receiving, by the payment card processor server computer, a payment authorization request message, the payment authorization request message being generated in response to an electronic payment transaction request made by a user, wherein the payment authorization request message includes the first encrypted payment account information for the first payment device; receiving, by the payment card processor server computer, the first hardware device ID associated with the first hardware device that generated said payment authorization request message; determining that the first encrypted payment account information from the received payment authorization request message matches said first hardware device ID and confirming the first hardware device is the first authorized hardware device; and approving the payment authorization request message.
 2. The method of claim 1, further comprising: linking a second encrypted payment account information for a second payment device with said first hardware device ID.
 3. The method of claim 1, further comprising: linking said first encrypted payment account information for said first payment device with a second hardware device ID associated with a second hardware device adapted to generate a second payment authorization request message.
 4. The method of claim 1, further comprising: approving the electronic payment transaction request.
 5. The method of claim 1, further comprising: providing the at least one device driver for linking said first encrypted payment account information for said first payment device with said first hardware device ID.
 6. The method of claim 1, further comprising: enrolling the user in a hardware authentication program; and selecting a range of monetary transactions conducted electronically via said first hardware device, wherein hardware authentication is required for only certain monetary transactions.
 7. The method of claim 1, wherein said first payment device is one of a credit card, a debit card, a payment voucher, and a gift card.
 8. A computer program product comprising: a computer-readable storage device; and a computer-readable program code stored in the computer-readable storage device, the computer readable program code containing instructions executable by a processor of a computer system to implement a method for securing electronic transactions, the method comprising: linking a first encrypted payment account information for a first payment device with a first hardware device, thereby establishing said first hardware device as a first authorized hardware device, wherein linking includes receiving, from at least one device driver of said first hardware device, a hash of a first hardware device identifier (ID) to thereby link said first encrypted payment account information for said first payment device with said first hardware device ID, wherein said first authorized hardware device is linked with said first payment device to enhance security of a monetary transaction conducted electronically via said authorized hardware device; receiving a payment authorization request message, the payment authorization request message being generated in response to an electronic payment transaction request made by a user, wherein the payment authorization request message includes the first encrypted payment account information for the first payment device; receiving the first hardware device ID associated with the first hardware device that generated said payment authorization request message; determining that the first encrypted payment account information from the received payment authorization request message matches said first hardware device ID and confirming the first hardware device is the first authorized hardware device; and approving the payment authorization request message.
 9. The computer program product of claim 8, further comprising: linking a second encrypted payment account information for a second payment device with said first hardware device ID.
 10. The computer program product of claim 8, further comprising: linking said first encrypted payment account information for said first payment device with a second hardware device ID associated with a second hardware device adapted to generate a second payment authorization request message.
 11. The computer program product of claim 8, further comprising: providing the at least one device driver for linking said first encrypted payment account information for said first payment device with said first hardware device ID.
 12. The computer program product of claim 8, further comprising: enrolling the user in a hardware authentication program; and selecting a range of monetary transactions conducted electronically via said first hardware device, wherein hardware authentication is required for only certain monetary transactions.
 13. A computer system for securing electronic transactions, the system comprising: a central processing unit (CPU); a memory coupled to said CPU; and a computer readable storage device coupled to the CPU, the storage device containing instructions executable by the CPU via the memory to implement a method of securing electronic transactions, the method comprising the steps of: linking a first encrypted payment account information for a first payment device with a first hardware device, thereby establishing said first hardware device as a first authorized hardware device, wherein linking includes receiving, from at least one device driver of said first hardware device, a hash of a first hardware device identifier (ID) to thereby link said first encrypted payment account information for said first payment device with said first hardware device ID, wherein said first authorized hardware device is linked with said first payment device to enhance security of a monetary transaction conducted electronically via said authorized hardware device; receiving a payment authorization request message, the payment authorization request message being generated in response to an electronic payment transaction request made by a user, wherein the payment authorization request message includes the first encrypted payment account information for the first payment device; receiving the first hardware device ID associated with the first hardware device that generated said payment authorization request message; determining that the first encrypted payment account information from the received payment authorization request message matches said first hardware device ID and confirming the first hardware device is the first authorized hardware device; and approving the payment authorization request message.
 14. The computer system of claim 13, further comprising: linking a second encrypted payment account information for a second payment device with said first hardware device ID.
 15. The computer system of claim 13, further comprising: linking said first encrypted payment account information for said first payment device with a second hardware device ID associated with a second hardware device adapted to generate a second payment authorization request message. 